Re: [PATCH v2 1/6] conf: Add new default TLS X.509 certificate default directory

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Jun 16, 2016 at 06:42:22AM -0400, John Ferlan wrote:
> Rather that specify perhaps multiple TLS X.509 certificate directories,
> let's create a "default" directory which can then be used if the service
> (e.g. for now vnc and spice) does not supply a default directory.
> 
> Since the default for vnc and spice may have existed before without being
> supplied, the default check will first check if the service specific path
> exists and if so, set the cfg entry to that; otherwise, the default will
> be set to the (now) new defaultTLSx509certdir.
> 
> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
> ---
>  src/qemu/libvirtd_qemu.aug         |  5 ++++-
>  src/qemu/qemu.conf                 | 36 ++++++++++++++++-----------------
>  src/qemu/qemu_conf.c               | 41 ++++++++++++++++++++++++++++++++------
>  src/qemu/qemu_conf.h               |  2 ++
>  src/qemu/test_libvirtd_qemu.aug.in |  1 +
>  5 files changed, 60 insertions(+), 25 deletions(-)
> 
> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
> index 8bc23ba..39b3a34 100644
> --- a/src/qemu/libvirtd_qemu.aug
> +++ b/src/qemu/libvirtd_qemu.aug
> @@ -24,6 +24,8 @@ module Libvirtd_qemu =
>  
>  
>     (* Config entry grouped by function - same order as example config *)
> +   let default_tls_entry = str_entry "default_tls_x509_cert_dir"
> +
>     let vnc_entry = str_entry "vnc_listen"
>                   | bool_entry "vnc_auto_unix_socket"
>                   | bool_entry "vnc_tls"
> @@ -93,7 +95,8 @@ module Libvirtd_qemu =
>     let nvram_entry = str_array_entry "nvram"
>  
>     (* Each entry in the config is one of the following ... *)
> -   let entry = vnc_entry
> +   let entry = default_tls_entry
> +             | vnc_entry
>               | spice_entry
>               | nogfx_entry
>               | remote_display_entry
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 7964273..72acdfb 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -2,6 +2,16 @@
>  # All settings described here are optional - if omitted, sensible
>  # defaults are used.
>  
> +# Use of TLS requires that x509 certificates be issued. The default is
> +# to keep them in /etc/pki/libvirt-default. This directory must contain
> +#
> +#  ca-cert.pem - the CA master certificate
> +#  server-cert.pem - the server certificate signed with ca-cert.pem
> +#  server-key.pem  - the server private key
> +#
> +#default_tls_x509_cert_dir = "/etc/pki/libvirt-default"

Oh, just remembered we should add a

  default_tls_x509_verify = 1|0

to control how we set the 'verify-peer' config option on the TLS
certs (ie whether we mandate the client provide a x509 cert as a
crude form of authorization, as opposed to letting any client
conncect).


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]